Chapter 25. Authentication and Interoperability

Directory Server now supports certificates with all ciphers supported by NSS

Due to a restriction in Directory Server, administrators could only use RSA and Fortezza ciphers. As a consequence, certificates created with a different cipher, such as ECC certificates, were not supported. This update removes this restriction. As a result, administrators can now use certificates with all ciphers supported by the underlying Network Security Services (NSS) database when configuring TLS in Directory Server. (BZ#1582747)

Directory Server correctly generates the CSN

In a Directory Server replication topology, updates are ordered by Change Sequence Numbers (CSN), which are based on time stamps. A newly generated CSN must be higher than the highest CSN present in the replica update vector (RUV). If the server generates a new CSN in the same second as the most recent CSN, it increases the sequence number to ensure that the new CSN is higher. However, when the most recent CSN and the new CSN were identical apart from the replica ID, the sequence number was not increased. As a consequence, a new update in the directory could in certain situations be ordered as older than the most recent update. With this update, Directory Server increases the sequence number if it is lower than or equal to that of the most recent CSN. As a result, new updates are no longer considered older than the most recent data. (BZ#1559945)
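The following is an added example, not code from Directory Server itself: a small Python model of CSN generation that shows why comparing the new CSN against the RUV maximum with a strict "lower than" test is not enough. The textual CSN layout (8 hex digits of timestamp, 4 of sequence number, 4 of replica ID, 4 of sub-sequence number) and the CSN, CSNGenerator and new_csn names are assumptions made for the illustration; the fixed flag switches between the pre-fix and the corrected comparison.

```python
import time
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class CSN:
    """A Change Sequence Number, ordered by timestamp, then sequence number, then replica ID."""
    ts: int   # seconds since the epoch when the update was generated
    seq: int  # sequence number that distinguishes updates made within the same second
    rid: int  # ID of the replica that generated the update

    def __str__(self):
        # Textual form modelled on the 389-ds layout (assumption for this example):
        # 8 hex timestamp, 4 hex seq, 4 hex replica ID, 4 hex sub-sequence (0 here).
        return f"{self.ts:08x}{self.seq:04x}{self.rid:04x}0000"


class CSNGenerator:
    """Generates CSNs for local updates on one replica (a model of the behaviour described above)."""

    def __init__(self, rid, clock=time.time, fixed=True):
        self.rid = rid
        self.clock = clock
        self.fixed = fixed   # False reproduces the pre-fix comparison
        self.last_ts = 0     # (ts, seq) of the last CSN this generator handed out
        self.last_seq = 0

    def new_csn(self, ruv_max):
        """Return a CSN for a new local update; ruv_max is the highest CSN in the RUV."""
        now = int(self.clock())
        if now > self.last_ts:
            self.last_ts, self.last_seq = now, 0   # a new second: restart the counter
        else:
            self.last_seq += 1                    # same second (or clock went back): count up
        # Only the (timestamp, sequence) pair is compared with the RUV maximum: the replica
        # ID may differ, which is exactly the case the pre-fix code mishandled.
        mine = (self.last_ts, self.last_seq)
        theirs = (ruv_max.ts, ruv_max.seq)
        too_low = mine <= theirs if self.fixed else mine < theirs
        if too_low:
            # Move past the RUV maximum so that the new update sorts after it.
            self.last_ts, self.last_seq = ruv_max.ts, ruv_max.seq + 1
        return CSN(self.last_ts, self.last_seq, self.rid)


if __name__ == "__main__":
    # Constructed scenario: replica 1 applies a local update in the same second in which
    # it received an update from replica 2, so the RUV maximum is (1000, 0, rid 2).
    frozen_clock = lambda: 1000
    ruv_max = CSN(1000, 0, 2)
    print("pre-fix :", CSNGenerator(rid=1, clock=frozen_clock, fixed=False).new_csn(ruv_max))
    print("fixed   :", CSNGenerator(rid=1, clock=frozen_clock, fixed=True).new_csn(ruv_max))
```

With the strict comparison, replica 1 hands out 1000/0/rid 1, which sorts before the RUV maximum 1000/0/rid 2 even though it is the newer change; with the corrected comparison it hands out 1000/1/rid 1, which sorts after it. The same path also covers a local clock that lags behind the RUV maximum.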

The client-cert-request utility no longer fails to create CSRs for ECC certificates

Previously, the generatePkcs10Request method in the Certificate System's client-cert-request utility failed to map the curve and length parameters. Consequently, the utility failed to create certificate signing requests (CSR) for Elliptic Curve Cryptography (ECC) certificates. The problem has been fixed. As a result, using client-cert-request for creating CSRs for ECC certificates works as expected. (BZ#1549632)

The pkiconsole utility no longer accepts ACLs with an empty expression

The Certificate System server rejects invalid access control lists (ACL) when they are saved. As a consequence, when an administrator saved an ACL with an empty expression, the server rejected the update and the pkiconsole utility displayed a StringIndexOutOfBoundsException error. With this update, the utility itself rejects empty ACL expressions. As a result, invalid ACLs cannot be saved and the error is no longer displayed. (BZ#1546708)

CMC CRMF requests using ECC keys work correctly

Previously, during verification, Certificate System encoded the ECC public key incorrectly in CMC Certificate Request Message Format (CRMF) requests. As a consequence, requesting an ECC certificate with Certificate Management over CMS (CMC) in CRMF failed. The problem has been fixed, and as a result, CMC CRMF requests using ECC keys work as expected. (BZ#1580394)

Installing Certificate System subsystems with ECC keys no longer fails

Previously, due to a bug in the Certificate System installation procedure, installing a Key Recovery Authority (KRA) with ECC keys failed. To fix the problem, the installation process has been updated to handle both RSA and ECC subsystems automatically. As a result, installing subsystems with ECC keys no longer fails. (BZ#1568615)

Directory Server clients are no longer randomly restricted by anonymous resource limits

Previously, Directory Server did not reliably record when a connection was established or when its first operation or bind started. As a consequence, in certain situations the server applied anonymous resource limits to an authenticated client. With this update, Directory Server properly marks authenticated client connections. As a result, it applies the correct resource limits, and authenticated clients are no longer randomly restricted by anonymous resource limits. (BZ#1515190)

Thread processing in Directory Server has been serialized

On an incoming replicated session, a replicated operation must only be processed when the previous one has completed. In certain situations, the thread that processed the start session operation continued to read and process replicated operations. Consequently, two replicated operations ran in parallel, which led to inconsistencies, such as a child entry being added before its parent entry. With this update, the thread processing the start session operation no longer processes further operations, even if some are already available in the read buffer. As a result, the inconsistencies no longer occur in the described scenario. (BZ#1552698)

Deleting the memberOf attribute in Directory Server works correctly

If an administrator moves a group in Directory Server from one subtree to another, the memberOf plug-in deletes the memberOf attribute with the old value and adds a new memberOf attribute with the new group's distinguished name (DN) in affected user entries. Previously, if the old subtree was not within the scope of the memberOf plug-in, deleting the old memberOf attribute failed because the values did not exist. As a consequence, the plug-in did not add the new memberOf value, and the user entry contained an incorrect memberOf value. With this update, the plug-in now checks the return code when deleting the old value. If the return code is no such value, the plug-in only adds the new memberOf value. As a result, the memberOf attribute information is correct. (BZ#1551071)

The PBKDF2_SHA256 password storage scheme can now be used in Directory Server

If a Red Hat Directory Server instance was installed using version 10.1.0 or earlier and subsequently updated, the update script did not enable the Password-Based Key Derivation Function version 2 (PBKDF2) plug-in. As a consequence, the PBKDF2_SHA256 password storage scheme could not be used in the nsslapd-rootpwstoragescheme and passwordStorageScheme parameters. This update automatically enables the plug-in. As a result, administrators can now use the PBKDF2_SHA256 password storage scheme. (BZ#1576485)
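As an added example that is not part of this release note or of the Directory Server plug-in, the following Python shows what a {PBKDF2_SHA256} stored value involves: a salted, iterated derivation that an attacker with a copy of the database cannot shortcut, verified with a constant-time comparison. The on-disk layout assumed here (a 4-byte big-endian iteration count, a 64-byte salt and a 256-byte derived key, base64-encoded after the scheme prefix) is modelled on the plug-in but is an assumption of this example, as is the iteration count; the function names are made up for the illustration.

```python
import base64
import hashlib
import hmac
import os
import struct

SCHEME = "{PBKDF2_SHA256}"
# Assumed layout of the blob after the scheme prefix (example assumption, see lead-in):
ITER_LEN, SALT_LEN, HASH_LEN = 4, 64, 256
DEFAULT_ITERATIONS = 2048   # example value; the plug-in chooses its own default


def pbkdf2_sha256_encode(password, iterations=DEFAULT_ITERATIONS, salt=None):
    """Hash a password into the {PBKDF2_SHA256}<base64> form modelled here."""
    if salt is None:
        salt = os.urandom(SALT_LEN)          # a fresh random salt per password
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be %d bytes" % SALT_LEN)
    if iterations <= 0:
        raise ValueError("iteration count must be positive")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=HASH_LEN)
    blob = struct.pack(">I", iterations) + salt + dk
    return SCHEME + base64.b64encode(blob).decode("ascii")


def pbkdf2_sha256_parse(stored):
    """Split a stored value into (iterations, salt, hash); None if it is not in this scheme."""
    if not stored.startswith(SCHEME):
        return None
    try:
        blob = base64.b64decode(stored[len(SCHEME):], validate=True)
    except ValueError:                        # binascii.Error is a ValueError subclass
        return None
    if len(blob) != ITER_LEN + SALT_LEN + HASH_LEN:
        return None
    (iterations,) = struct.unpack(">I", blob[:ITER_LEN])
    return iterations, blob[ITER_LEN:ITER_LEN + SALT_LEN], blob[ITER_LEN + SALT_LEN:]


def pbkdf2_sha256_verify(password, stored):
    """Check a password against a stored value; False for malformed or foreign values."""
    parsed = pbkdf2_sha256_parse(stored)
    if parsed is None:
        return False
    iterations, salt, expected = parsed
    if iterations == 0:
        return False                          # a zero count would make the derivation trivial
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=HASH_LEN)
    return hmac.compare_digest(dk, expected)  # constant-time comparison


def storage_scheme(stored):
    """Return the scheme prefix of a stored userPassword value, e.g. 'SSHA' or 'PBKDF2_SHA256'."""
    if stored.startswith("{") and "}" in stored:
        return stored[1:stored.index("}")]
    return "CLEAR"                            # no prefix: stored as-is


if __name__ == "__main__":
    stored = pbkdf2_sha256_encode("Secret123", iterations=4096)
    print(stored[:40] + "...", storage_scheme(stored))
    print(pbkdf2_sha256_verify("Secret123", stored), pbkdf2_sha256_verify("secret123", stored))
```

storage_scheme is the kind of check to run over exported userPassword values after enabling the plug-in and switching passwordStorageScheme: existing hashes keep their old scheme until the password is next changed, so the prefix tells you which accounts are still on SSHA or similar.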

Directory Server no longer crashes when removing connections from an active list

Directory Server manages established connections in an active list. When a thread flags a connection for closing, the server waits until there are no active threads left on the connection to remove the connection from the active list. In certain situations, the number of active threads is less than the actual number of threads. In this scenario, Directory Server moves the connection out of the active list and flags it as invalid. Another remaining thread which detects that the connection is invalid also attempts to remove it from the active list. However, the code that removes the connection from the active list expects that the connection has valid list pointers. If the pointers are invalid because the connection is not on the active list, Directory Server terminates unexpectedly. With this update, the server checks that the list pointers are valid before using them. As a result, the server no longer crashes when attempting to remove a connection from the active list. (BZ#1566444)

The Disk Monitoring feature shuts down Directory Server on low disk space

Due to changes in the way Directory Server sets the error log level, the Disk Monitoring feature in Directory Server failed to detect that the error log level was set to the default level. As a consequence, Directory Server did not correctly shut down when the file system was full. The way the Disk Monitoring feature checks the error level has been updated. As a result, Disk Monitoring now correctly shuts down the server if the disk space is low. (BZ#1568462)

Directory Server no longer logs a warning when searching a non-existent DN in entrydn attributes

Previously, searches for a non-existent distinguished name (DN) set in the entrydn attribute caused Directory Server to log a warning in the error log. With this update, the server correctly handles situations when an entrydn attribute fails to find a match. As a result, the server no longer logs a misleading warning. (BZ#1570033)

The pwdhash utility no longer crashes when using the CRYPT password storage scheme

Previously, the pwdhash utility used an invalid mutex lock when creating a hash using the CRYPT password storage scheme. As a consequence, pwdhash failed with a segmentation fault error. With this update, the utility uses the re-entrant form of the crypt() function that does not require a lock. As a result, pwdhash no longer crashes when using the CRYPT password storage scheme. (BZ#1570649)

The Directory Server Pass-through plug-in now supports encrypted connections using the STARTTLS command

Previously, the Pass-through plug-in in Directory Server did not support encrypted connections if the encryption was started using the STARTTLS command. The problem has been fixed, and the Pass-through plug-in now supports connections that use the STARTTLS command. (BZ#1581737)

Using the password policy feature works correctly if chain on update is enabled

On a Directory Server read-only consumer, the "Password must be changed after reset" password policy setting was not enforced, because the flag that marks a user as having to change their password is set on the connection itself. If this setting was used together with the chain on update feature, the flag was lost. As a consequence, the password policy was not enforced. With this update, the server sets the flag properly on chain on update connections. As a result, the password policy works correctly. (BZ#1582092)

Improved performance when the fine-grained password policy is enabled in Directory Server

When a search evaluates a shadowAccount entry, Directory Server adds the shadow attributes to the entry. If the fine-grained password policy is enabled, the shadowAccount entry can contain its own pwdpolicysubentry policy attribute. Previously, to retrieve this attribute, the server started an internal search for each shadowAccount entry, which was unnecessary because the entry was already known to the server. With this update, Directory Server only starts an internal search if the entry is not already known. As a result, the performance of searches, such as response time and throughput, is improved. (BZ#1593807)

Directory Server now retrieves members of the replica bind DN group when the first session is started

Directory Server replicas define entries that are authorized to replicate updates to the replica itself. If the entries are members of the group set in the nsds5replicabinddngroup attribute, the group is retrieved periodically based on the interval set in the nsDS5ReplicaBindDnGroupCheckInterval attribute. If the entry is not a member at the time the server retrieves the group, any session that is authenticated using this entry is not authorized to replicate updates. This behavior remains until the entry becomes a member of the group and the server retrieves the group again. As a consequence, replication fails for the first interval set in nsDS5ReplicaBindDnGroupCheckInterval. With this update, the server retrieves the group when the first session is started rather than when the replica is created. As a result, the group is taken into account at the first attempt it is checked. (BZ#1598478)

Creating a Directory Server back end with the name default is now supported

Previously, the name default was reserved in Directory Server. As a consequence, creating a back end named default failed. With this update, Directory Server no longer reserves this name, and administrators can create a back end named default. (BZ#1598718)

Updated Directory Server SNMP MIB definitions

Previously, the Simple Network Management Protocol (SNMP) Management Information Base (MIB) definitions provided by the 389-ds-base package did not conform to the Structure of Management Information Version 2 (SMIv2) defined in RFC 2578. As a consequence, the lint utility reported errors. The definitions have now been updated, and as a result, the MIB definitions comply with the SMIv2 specification. (BZ#1525256)

rpc.yppasswdd now updates passwords also with SELinux disabled

Previously, when the SELinux security module was disabled on the system, the rpc.yppasswdd update function failed to perform the update action. As a consequence, rpc.yppasswdd was unable to update the user password. With this update, rpc.yppasswdd checks whether SELinux is enabled on the system before detecting the SELinux context type for the passwd files. As a result, rpc.yppasswdd now correctly updates passwords in the described scenario. (BZ#1492892)

The default of the nsslapd-enable-nunc-stans parameter has been changed to off

Previously, the nunc-stans framework was enabled by default in Directory Server, but the framework is not stable. As a consequence, deadlocks and file descriptor leaks could occur. This update changes the default value of the nsslapd-enable-nunc-stans parameter to off. As a result, these deadlocks and file descriptor leaks no longer occur. (BZ#1614501)